Abstract. The scenario-based specification of a large distributed system is usually naturally decomposed into various modules. The integration of specification modules contrasts with the parallel composition of program components, and includes various ways such as scenario concatenation, choice, and nesting. The recent development of multiparty session types for process calculi provides useful techniques to accommodate the protocol modularisation, by encoding fragments of communication protocols in the usage of private channels for a class of agents. In this paper, we extend foregoing session type theories by enhancing the session integration mechanism. More specifically, we propose a novel synchronous multiparty session type theory, in which sessions are separated into the communicating and integrating levels. Communicating sessions record the message-based communications between multiple agents, whilst integrating sessions describe the integration of communicating ones. A two-level session type system is developed for π-calculus with syntactic primitives for session establishment, and several key properties of the type system are studied. Applying the theory to system description, we show that a channel safety property and a session conformance property can be analysed. Also, to improve the utility of the theory, a process slicing method is used to help identify the violated sessions in the type checking.



1 Introduction 



The description of service accesses in protocols has long been considered as a way to improve the interoperability of program components in a complex computing system, and this is the case for various architecture description languages (e.g. Darwin [19], Wright [1], and PADL [2]) and component-based platforms (e.g. Coyote [3] and Appia [1^)). Formal validation methods including model checking and static checking are employed to aid the detection of composition mistakes such as deadlocks and race conditions. For large distributed systems, the specification is usually modularised. Studies on session types [14,10] for process calculi in the dialect of π-calculus [24], especially the recent development of multiparty session types [15], provide useful techniques to accommodate the protocol modularisation. Informally, a session is a unit of message-based communications with a specific purpose. The suitability of session type theories for describing distributed computing includes two aspects:

- Session type theories provide a global descriptive method for protocols, facilitating the protocol design and verification;

- To handle protocol modularisation, type systems in session type theories project fragments of the protocols on the usage of private channels for intended classes of participants.

However, the origin of session type theories assumes the interleaving situation of different independent behavioural threads [13], but in real-life distributed computing, there are often meaningful interplays between a number of sessions. As an example, the following business protocol consists of four sessions between five agents. A broker and two buyers are in the auction session Auction (where Auction is seen as a global description of the auction protocol). Auction is followed by a transaction session between the auction winner, the broker, and the seller. Two alternative transaction protocols are given for the winner to choose: DTransaction is a direct protocol, in which the winner directly transfers money to the seller; STransaction is a secure protocol, in which the money is transferred via the broker and an extra (sub-)session EPay for the money transaction between the winner, the bank, and the broker is involved. Therefore, the whole business protocol is the integration of four sessions in the intended ways. It is indeed possible to view the protocol as inseparable, but doing so violates both the natural understanding of the protocol and the gradual procedure of requirement specification.

To improve the session integration mechanism for session type theories, we argue for the merits of separating sessions into two levels. In the present paper, we propose a theory of two-level synchronous multiparty session types, in which communicating sessions specify the end-point communications of multiple components, whilst integrating sessions describe the gluing of communicating sessions by concatenation, choice, interleaving composition, and nesting composition. Compared with the existing studies in this subject, e.g. [4,15,28,8,7], in addition to the separation of session communication and integration, the novelty of our work includes the following aspects. First, we view sessions as a behavioural rather than data-structural approximation of processes. Besides statically typing processes in a variant of π-calculus, session types are also executable and equipped with intuitive operational semantics. In the foregoing session type theories, sessions as the specification leave out data structures required in the implementation, but based on the operational semantics of sessions, we investigate the behavioural relation between processes and sessions. We demonstrate that, in spite of session modularisation and integration, behaviours of processes, if typed properly, conform to their session specification. Second, the most recent work on session types witnesses a trend to introduce more expressive session constructs and, correspondingly, more syntactic primitives in the underlying calculi, but the ramification of communicating and integrating sessions in our work does not complicate the syntax of the process calculus. Lastly, to improve the utility of the theory, we use a process slicing method to help identify the violated sessions in the type checking. The method decomposes a process into parts with respect to sessions in its session specification and compares each part with the role projected from a corresponding session.

Fig. 1 Syntax of the calculus

$$
\begin{array}{rclllll}
P & ::= & \pi.P & \text{prefixing} & \mid & X & \text{variable} \\
 & \mid & (\nu a)P & \text{hiding} & \mid & [\mathrm{rec}\,X]P & \text{recursion} \\
 & \mid & r : P & \text{labelling} & \mid & P + P & \text{choice} \\
 & \mid & 0 & \text{inaction} & \mid & P \mid P & \text{parallel} \\
\alpha & ::= & \pi & \text{action} & \mid & \tau & \text{silence} \\
\pi & ::= & a[2..n](\tilde{c}) & \text{invitation} & \mid & a?v & \text{receiving} \\
 & \mid & a[k](\tilde{c}) & \text{acceptance} & \mid & a!v & \text{sending}
\end{array}
$$

The organisation of the remainder of the paper is as follows. In the next section, we present a process calculus with actions for multiparty session establishment. In Sect. 3 we define the syntax and semantics of communicating and integrating sessions, together with methods to project sessions into roles for processes. In Sect. 4 we develop a two-level session type system and study several key properties of the type system. In Sect. 5 we apply the session type theory to system description and analyse a channel safety property and a behavioural property of session conformance. In Sect. 6 we use a process slicing method to facilitate the identification of violated sessions in type checking. In Sect. 7 we discuss the related work to this paper. Finally, we conclude the paper by outlining the future work. More examples and proof details of the theorems are in the Appendix.

2 The Calculus 

This section defines a variant of π-calculus. In the next two sections, a type discipline based on two-level session types is developed for the calculus. Compared with the existing session type literature, the syntax of our calculus is abstract and close to the original presentation of π-calculus. Our intention is to minimise the side techniques (we return to this point in Sect. 7).

The basic sets are a set of channels ($a, b, c, c'$), a set of messages or message types ($u, v, v'$), and a set of participant names ($p, q, r, 1, 2$, etc.). The syntax of processes and actions is given in Figure 1. Sessions, which are informally understood as units of interactions, are established by shared channels. The key syntactic primitives for channel establishment are of the forms $a[2..n](\tilde{c})$ and $a[k](\tilde{c})$, which are due to [15]. These two prefixes are called session actions and $a$ is called a session channel. $a[2..n](\tilde{c})$ invites participants 2 to $n$ to join in a session whose communicating channels are $\tilde{c}$, whilst $a[k](\tilde{c})$ accepts a session invitation. By the operational semantics, when the actions $a[2..n](\tilde{c})$ and $a[k](\tilde{c})$ (for each $2 \le k \le n$) are triggered synchronously, a session is established via the session channel $a$ and a sequence of fresh communicating channels $\tilde{c}$ is generated (unlike [15], in which the message transport is asynchronous). In $r : P$, $r$ labels $P$ and is seen as the name of $P$. In some literature, it is also called the location of $P$ [12]. Other syntactic primitives and constructions are standard and from π-calculus.

Fig. 2 Structural congruence

$$
\begin{array}{lll}
P \mid Q \equiv Q \mid P & P \mid 0 \equiv P & (P \mid Q) \mid R \equiv P \mid (Q \mid R) \\
P + Q \equiv Q + P & P + 0 \equiv P & (P + Q) + R \equiv P + (Q + R) \\
(\nu a)0 \equiv 0 & (\nu a)(\nu b)P \equiv (\nu b)(\nu a)P & (\nu a)P \mid Q \equiv (\nu a)(P \mid Q) \ \text{if } a \notin \mathrm{fc}(Q) \\
[\mathrm{rec}\,X]0 \equiv 0 & [\mathrm{rec}\,X]R \equiv R \ \text{if } X \notin \mathrm{fv}(R) & P \equiv Q \ \text{if } P =_{\alpha} Q \\
l' : l : P \equiv l' : P & l : P \mid l : Q \equiv l : (P \mid Q) & l : (\nu a)P \equiv (\nu a)\, l : P
\end{array}
$$

Binders are $a$ in $(\nu a)P$, $\tilde{c}$ in $a[2..n](\tilde{c}).P$ or $a[k](\tilde{c}).P$, and $X$ in $[\mathrm{rec}\,X]P$. Substitution of channels is standard. In particular, $([\mathrm{rec}\,X]P)\{a/b\} = [\mathrm{rec}\,X](P\{a/b\})$. $(\nu\tilde{a})P$ stands for $(\nu a_1) \ldots (\nu a_n)P$ where $\tilde{a} = a_1, \ldots, a_n$. The left-associative law is adopted when presenting multiple $\mid$ or $+$. We assume the bound name convention for processes. Let $\mathrm{fc}(P)$ and $\mathrm{fc}(\alpha)$ denote the set of free channels in $P$ and $\alpha$, respectively. $\mathrm{fv}(P)$ is the set of free process variables, and $\mathrm{act}(P)$ the set of prefixes in $P$. Supposing $\tilde{a} = \mathrm{fc}(P)$ and $|\tilde{c}| = |\tilde{a}|$, $P(\tilde{c})$ refers to $P\{\tilde{c}/\tilde{a}\}$.

The structural congruence $\equiv$ is the smallest congruent relation on processes that includes the equations in Figure 2. $P =_{\alpha} Q$ means that $P$ and $Q$ are variants of alpha-conversion. Note that we leave out the equi-recursive equation (e.g. $[\mathrm{rec}\,X]P \equiv P\{[\mathrm{rec}\,X]P/X\}$) in the structural laws (it is called recursion-free or replication-free structural congruence in some literature [9]). Consequently, we have the decidability of structural congruence.

Lemma 1 For any given $P, Q$, it is decidable if $P \equiv Q$.

If $X \in \mathrm{fv}(P)$, we let $P^{[X]}$ be $[\mathrm{rec}\,X]P$; otherwise, $P^{[X]}$ is $P$. $P \sqsubseteq Q$ means $P + R \equiv Q$ for some $R$, and $P \sqsubset Q$ means $P + R \equiv Q$ for some $R \not\equiv 0$. $P \sqcup Q$ is defined as follows: if $Q \sqsubseteq P$ then $P \sqcup Q = P$; if $P \sqsubset Q$ then $P \sqcup Q = Q$; otherwise, $P \sqcup Q = P + Q$.

The operational semantics are given through a labelled transition system defined by rules in Figure 3. In the session type literature, the semantics of the process calculus is defined as a reduction system instead of a labelled transition one. The advantage of the former over the latter is a simpler presentation. But because one of our purposes in the present paper is to study the behavioural relation between processes and their session types, the standard operational semantics are more suitable to this end. The rules [Inv], [Acc], and [Sess] handle the session establishment, and their intuitive meanings have been explained. [Lab] is for process labelling. The rest of the semantic rules are standard.

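Let proc(P) = {Q | P Q}. $P$ simulates $Q$, denoted $P \succ Q$, if there is a relation $\mathcal{S} \subseteq \mathrm{proc}(P) \times \mathrm{proc}(Q)$ such that if $(P, Q) \in \mathcal{S}$ and $Q \xrightarrow{\alpha} Q'$ then there is $P'$ such that $P \xrightarrow{\alpha} P'$ and $(P', Q') \in \mathcal{S}$. We use P Q to mean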
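Fig. 3 Operational semantics

$$
\begin{array}{ll}
[\text{Snd}]\ \ a!v.P \xrightarrow{a!v} P & [\text{Rcv}]\ \ a?v.P \xrightarrow{a?v} P \\[1ex]
[\text{Inv}]\ \ a[2..n](\tilde{c}).P \xrightarrow{a[2..n](\tilde{c})} P & [\text{Acc}]\ \ a[k](\tilde{c}).P \xrightarrow{a[k](\tilde{c}')} P\{\tilde{c}'/\tilde{c}\} \\[1ex]
[\text{Par}]\ \ \dfrac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q} & [\text{Sum}]\ \ \dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'} \\[2ex]
[\text{Com}]\ \ \dfrac{P \xrightarrow{a!v} P' \quad Q \xrightarrow{a?v} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'} & [\text{Hid}]\ \ \dfrac{P \xrightarrow{\alpha} P' \quad \mathrm{fc}(\alpha) \not\ni a}{(\nu a)P \xrightarrow{\alpha} (\nu a)P'} \\[2ex]
[\text{Sess}]\ \ \dfrac{P_1 \xrightarrow{a[2..n](\tilde{c})} P_1' \quad P_k \xrightarrow{a[k](\tilde{c})} P_k' \ (2 \le k \le n)}{P_1 \mid \ldots \mid P_n \xrightarrow{\tau} (\nu\tilde{c})(P_1' \mid \ldots \mid P_n')} & [\text{Lab}]\ \ \dfrac{P \xrightarrow{\alpha} P'}{l : P \xrightarrow{\alpha} l : P'} \\[2ex]
[\text{Rec}]\ \ \dfrac{P \xrightarrow{\alpha} P'}{[\mathrm{rec}\,X]P \xrightarrow{\alpha} P'\{[\mathrm{rec}\,X]P/X\}} & [\text{Eqv}]\ \ \dfrac{P \equiv Q \quad Q \xrightarrow{\alpha} Q' \quad Q' \equiv P'}{P \xrightarrow{\alpha} P'}
\end{array}
$$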

that there is $R$ such that $P \longrightarrow R$ and $R \succ Q$. We say $P$ is deterministic (up to structural congruence) if for each $Q \in \mathrm{proc}(P)$, $Q \xrightarrow{\alpha} R$ and $Q \xrightarrow{\alpha} R'$ entail $R \equiv R'$.

Examples of agent behaviours We provide a detailed, but informal description of the interactions between the five agents in the example from the Introduction, and then formulate their individual behaviours in the calculus. At the uppermost level, the whole business protocol is divided into two stages. The first stage is for the auction session and the second one includes two alternative transaction sessions and a possible nested sub-session.

At the auction stage, the broker initiates the auction session with two buyers, i.e. buyer$_1$ and buyer$_2$. For simplicity, we assume that the buyers already know the base price of the auctioned item. After the auction is initiated, buyer$_1$ (resp. buyer$_2$) sends its bid to the broker and the protocol reaches a recursive state. In the recursive state, the broker sends a new quote to the other buyer and the protocol proceeds in the following two alternative branches. (a) If the other buyer does not bid (after some amount of time), then the broker issues an invoice to buyer$_1$ (resp. buyer$_2$), finishing the auction. (b) If the other buyer bids, then the broker forwards the latest quote to buyer$_1$ (resp. buyer$_2$) and, again, the protocol has two sub-branches: (b1) if buyer$_1$ (resp. buyer$_2$) continues to bid, then the protocol returns to the recursive state; (b2) otherwise, the broker issues buyer$_2$ (resp. buyer$_1$) an invoice to finish the auction.

At the transaction stage, the buyer that won the auction initiates one of the following two transaction options. (a) If the direct transaction is chosen, then the broker forwards the price to the seller, and the buyer makes the payment to the seller and receives the ordering information. (b) If the secure transaction is chosen, an extra bank transfer session is involved. The buyer authorises the bank to transfer an intended amount of money to the broker. The broker holds the money but informs the seller that the pre-payment is ready, and the seller sends the ordering information to the buyer. After receiving the item, the buyer sends a confirmation message to the broker and the broker finalises the deal by transferring the pre-payment to the seller.

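The formal description of the broker's behaviour is given by the following process.

$$
\begin{aligned}
P_{\mathrm{broker}} \stackrel{\mathrm{def}}{=}\ & \mathit{auc}[2..3](a_{1,2}, a_{1,3}).\ \sum_{i \in \{1,2\}} \big(a_{1,i+1}?\mathit{bid}.\ [\mathrm{rec}\,X](a_{1,4-i}!\mathit{quote}. \\
& (a_{1,i+1}!\mathit{invoice}.\ P'_{\mathrm{broker}} + a_{1,4-i}?\mathit{bid}.\ a_{1,i+1}!\mathit{quote}. \\
& (a_{1,i+1}?\mathit{bid}.\ X + a_{1,4-i}!\mathit{invoice}.\ P'_{\mathrm{broker}})))\big) \\
P'_{\mathrm{broker}} \stackrel{\mathrm{def}}{=}\ & \mathit{dTran}[2](b_{1,2}, b_{2,3}).\ b_{2,3}!\mathit{price}.\ 0 + \mathit{sTran}[2](c_{1,2}, c_{1,3}, c_{2,3}). \\
& \mathit{epay}[2](d_{1,3}, d_{2,3}).\ d_{2,3}?\mathit{transfer}.\ c_{2,3}!\mathit{prepaid}. \\
& c_{1,2}?\mathit{confirm}.\ c_{2,3}!\mathit{payment}.\ 0
\end{aligned}
$$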

As explained before, the session is established via shared channels, i.e. session channels, one of which is $\mathit{auc}$. The prefix $\mathit{auc}[2..3](a_{1,2}, a_{1,3})$ initiates a session with another two participants (three in total), which, in this case, are the two buyers. $\mathit{dTran}[2](b_{1,2}, b_{2,3})$, $\mathit{sTran}[2](c_{1,2}, c_{1,3}, c_{2,3})$, and $\mathit{epay}[2](d_{1,3}, d_{2,3})$ ($i \in \{1,2\}$) are for accepting session establishment. Other prefixes are ordinary prefixes in π-calculus. We use $a_{i,j}$ to denote the channel used by the $i$th and $j$th agents in the session. For example, $a_{1,2}$ is the communicating channel between the first and second participants, which, in this case, are the broker and buyer$_1$. The recursive structure in $P_{\mathrm{broker}}$ corresponds to the recursive state of the auction protocol informally described above.

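The behaviours of the two buyers in the two stages of the protocol follow. Let $j \in \{1,2\}$.

$$
\begin{aligned}
P_{\mathrm{buyer}_j} \stackrel{\mathrm{def}}{=}\ & \mathit{auc}[j+1](a_{1,2}, a_{1,3}).\ a_{1,j+1}!\mathit{bid}.\ [\mathrm{rec}\,X_1](a_{1,j+1}?\mathit{quote}.\ a_{1,j+1}!\mathit{bid}.\ X_1 \\
& + a_{1,j+1}?\mathit{invoice}.\ P'_{\mathrm{buyer}_j}) + a_{1,j+1}?\mathit{quote}.\ [\mathrm{rec}\,X_2] \\
& (a_{1,j+1}!\mathit{bid}.\ (a_{1,j+1}?\mathit{invoice}.\ P'_{\mathrm{buyer}_j} + a_{1,j+1}?\mathit{quote}.\ X_2)) \\
P'_{\mathrm{buyer}_j} \stackrel{\mathrm{def}}{=}\ & \mathit{dTran}[2..3](b_{1,3}, b_{2,3}).\ b_{1,3}!\mathit{payment}.\ b_{1,3}?\mathit{order}.\ 0\ + \\
& \mathit{sTran}[2..3](c_{1,2}, c_{1,3}, c_{2,3}).\ \mathit{epay}[2..3](d_{1,3}, d_{2,3}).\ d_{1,3}!\mathit{amount}. \\
& d_{2,3}?\mathit{transfer}.\ c_{1,3}?\mathit{order}.\ c_{1,2}!\mathit{confirm}.\ 0
\end{aligned}
$$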

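The seller and the bank only take part in the second part of the protocol, and their behaviours follow.

$$
\begin{aligned}
P_{\mathrm{seller}} \stackrel{\mathrm{def}}{=}\ & \sum_{i \in \{1,2\}} (\mathit{dTran}[3](b_{1,3}, b_{2,3}).\ b_{2,3}?\mathit{price}.\ b_{1,3}?\mathit{payment}.\ b_{1,3}!\mathit{order}.\ 0 \\
& + \mathit{sTran}[3](c_{1,2}, c_{1,3}, c_{2,3}).\ c_{2,3}?\mathit{prepaid}.\ c_{1,3}!\mathit{order}.\ c_{1,3}!\mathit{payment}.\ 0) \\
P_{\mathrm{bank}} \stackrel{\mathrm{def}}{=}\ & \mathit{epay}[3](d_{1,3}, d_{2,3}).\ d_{1,3}?\mathit{amount}.\ d_{2,3}!\mathit{transfer}.\ 0
\end{aligned}
$$

The interactions of the five processes, i.e. $P_{\mathrm{broker}}$, $P_{\mathrm{buyer}_1}$, $P_{\mathrm{buyer}_2}$, $P_{\mathrm{seller}}$, and $P_{\mathrm{bank}}$, according to the operational semantics should follow the presented scenario.

Fig. 4 Abstract syntax of sessions

$$
\begin{array}{rclllll}
S, T & ::= & (p, q : v) \to S & \text{communication} & \mid & \mathrm{end} & \text{termination} \\
 & \mid & (\tilde{p} : S)\{T\} & \text{establishment} & \mid & S; T & \text{concatenation} \\
 & \mid & t & \text{type variable} & \mid & S \oplus T & \text{union} \\
 & \mid & \mu t.S & \text{recursion} & \mid & S \otimes T & \text{product}
\end{array}
$$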

3 Two-level Session Types 
3.1 Syntax and Semantics 

We provide the general syntax of session types or sessions, and then define 
the two kinds of sessions studied in the present paper, i.e. communicating and 
integrating sessions. 

The general syntax is provided in Figure 4. $(p, q : v) \to S$ is a session of communication form, meaning that, after the agent $p$ sends the message (type) $v$ to the agent $q$, the session proceeds as $S$. $(\tilde{p} : S)\{T\}$ is a session of establishment form, meaning that the agents $\tilde{p}$ establish a session $S$ which nests $T$. The first item in the sequence $\tilde{p}$ refers to the participant that initiates $S$. We call $(p, q : v)$ and $(\tilde{p} : S)$ event prefixes. $S; T$ is the concatenation of $S$ and $T$, $S \oplus T$ is their union, and $S \otimes T$ their product. $t$ is a type variable and $\mu t.S$ is a recursive type and binds $t$ in $S$ in the standard way. A session is closed if occurrences of all variables in it are bound. $\mathrm{end}$ is a terminated session.

If $T$ is contained in (the presentation of) $S$, we call $T$ a sub-session of $S$. $\mathrm{pid}(S)$ is the set of participant names in $S$. $S$ is well-formed, if (1) for each sub-session $(p, q : v) \to T$ of $S$, $p \neq q$, (2) for each sub-session $(\tilde{p} : T)\{T'\}$ of $S$, $\tilde{p}$ is distinct and $|\tilde{p}| = |\mathrm{pid}(T)|$, and (3) for each sub-session $T; T'$ of $S$, $T$ does not contain $\otimes$. Hence, well-formedness of sessions rules out self interactions such as $(p, p : v)$ and multiple participation of sessions such as $(p, p : S)$. We also require the left session of a concatenated session to be single-threaded. For each $S$, we define a set $\mathrm{opid}(S)$ as follows:

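- $\mathrm{opid}(t) = \mathrm{opid}(\mathrm{end}) = \emptyset$; $\mathrm{opid}(\mu t.S) = \mathrm{opid}(S)$;

- $\mathrm{opid}((p, q : v) \to S) = \{\{p, q\}\}$; $\mathrm{opid}((\tilde{p} : S)\{T\}) = \{\tilde{p}\}$;

- $\mathrm{opid}(S \oplus T) = \mathrm{opid}(S \otimes T) = \mathrm{opid}(S) \cup \mathrm{opid}(T)$;

- if $\mathrm{opid}(S) \neq \emptyset$, then $\mathrm{opid}(S; T) = \mathrm{opid}(S)$; and if $\mathrm{opid}(S) = \emptyset$, then $\mathrm{opid}(S; T) = \mathrm{opid}(T)$.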

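Then, race-free sessions are recursively defined as follows. (1) $\mathrm{end}$ and $\mathrm{opid}(t)$ are race-free; (2) if $S$ is race-free, then so is $\mu t.S$; (3) if $S$ is race-free and $\{p, q\} \cap H \neq \emptyset$ for each $H \in \mathrm{opid}(S)$, then $(p, q : v) \to S$ is race-free for any $v$; (4) if $S, T$ are race-free, then $(\tilde{p} : S)\{T\}$ is race-free; (5) if $S, T$ are race-free and $H \cap H' \neq \emptyset$ for each $H \in \mathrm{opid}(S)$, $H' \in \mathrm{opid}(T)$, then $S \oplus T$ is race-free; (6) if $S, T$ are race-free then $S \otimes T$ is race-free; (7) if $T$ is race-free and $\mathrm{pid}(S) = \emptyset$, then $S; T$ is race-free; and (8) if $S, T$ are race-free, $\mathrm{pid}(S) \neq \emptyset$, and $\mathrm{pid}(S') \cap H \neq \emptyset$ for each $H \in \mathrm{opid}(T)$ and each subsession $S'$ of $S$, then $S; T$ is race-free. Let $\tilde{p}$ be a distinct sequence and $|\tilde{p}| = \mathrm{pid}(S)$. We use $S(\tilde{p})$ to denote the simultaneous substitution of $\tilde{p}$ for $\mathrm{pid}(S)$ in $S$.

Fig. 5 Session structural congruence

$$
\begin{array}{lll}
(S \oplus S') \oplus S'' \equiv S \oplus (S' \oplus S'') & S \oplus S' \equiv S' \oplus S & S \oplus \mathrm{end} \equiv S \\
(S \otimes S') \otimes S'' \equiv S \otimes (S' \otimes S'') & S \otimes S' \equiv S' \otimes S & S \otimes \mathrm{end} \equiv S \\
(S; S'); S'' \equiv S; (S'; S'') & S; \mathrm{end} \equiv S & \mathrm{end}; S \equiv S \\
\mu t.S \equiv S \ \text{if } t \notin \mathrm{fv}(S) & S \equiv T \ \text{if } S =_{\alpha} T &
\end{array}
$$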

In the following, we restrict the general syntax of sessions and define two 
special kinds of sessions studied in the present paper. 

Definition 1 (Communicating sessions) The syntax of communicating sessions ($B, B'$) contains rules in Figure 4 except the establishment (i.e. $(\tilde{p} : S)\{T\}$).

For simplicity, for a given communicating session $B$, we let $\mathrm{pid}(B)$ be a sequence of consecutive integral numbers from 1. Auction, DTransaction, STransaction, and EPay in Sect. 3.2 below are communicating sessions. However, when writing $B(\tilde{p})$, $\tilde{p}$ is not necessarily a sequence of consecutive integrals.

Definition 2 (Integrating sessions) The syntactic rule of restricted establishment is a restricted one of the establishment in Figure 4: $(\tilde{p} : B)\{T\}$ where $T$ is a general session and $B$ is a communicating session. The syntax of integrating sessions ($A, A'$) contains the restricted establishment and constructions in Figure 4 except the establishment and communication (i.e. $(p, q : v) \to S$ in Figure 4).

Proto in Sect. 3.2 below is an integrating session. We use $(\tilde{p} : S)$ to abbreviate $(\tilde{p} : S)\{\mathrm{end}\}$. In the sequel, we assume that the communicating and integrating sessions under consideration are well-formed and race-free. The well-formedness requirement is due to syntactic legitimacy. We additionally require sessions to be race-free, because otherwise their process-level counterparts (obtained by the projection method described below) may contain race conditions. Due to space limitations, we leave the detailed discussion for future work.

The structural congruence of sessions is the smallest congruent relation containing the equations presented in Figure 5. These laws of structural congruence have a strong correspondence to those for processes in Figure 2. Because the equi-recursive equation $\mu t.S \equiv S\{\mu t.S/t\}$ is left out, the session structural congruence is also decidable.

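The operational semantics of sessions are presented in Figure 6, where we use $\lambda$ to denote $p, q : v$ or $\tilde{p} : B$. [S-com] describes the ordinary message-based communications between two participants. [S-sess] is for the session establishment and nesting; when a session is established, it runs interleavingly with its nested session. Other semantic rules are standard. [S-times], [S-sum], and [S-con] handle the session production, summation, and concatenation, respectively. Recursive sessions are dealt with by [S-rec] and session equivalence by [S-eq].

Fig. 6 Session operational semantics

$$
\begin{array}{ll}
[\text{S-com}]\ \ (p, q : v) \to B \xrightarrow{p, q : v} B & [\text{S-sess}]\ \ (\tilde{p} : B)\{A\} \xrightarrow{\tilde{p} : B} A \otimes B(\tilde{p}) \\[1ex]
[\text{S-times}]\ \ \dfrac{S \xrightarrow{\lambda} S'}{S \otimes T \xrightarrow{\lambda} S' \otimes T} & [\text{S-sum}]\ \ \dfrac{S \xrightarrow{\lambda} S'}{S \oplus T \xrightarrow{\lambda} S'} \\[2ex]
[\text{S-con}]\ \ \dfrac{S \xrightarrow{\lambda} S'}{S; T \xrightarrow{\lambda} S'; T} & [\text{S-rec}]\ \ \dfrac{S \xrightarrow{\lambda} S'}{\mu t.S \xrightarrow{\lambda} S'\{\mu t.S/t\}} \\[2ex]
[\text{S-eq}]\ \ \dfrac{S \equiv T \quad T \xrightarrow{\lambda} T' \quad T' \equiv S'}{S \xrightarrow{\lambda} S'} &
\end{array}
$$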

3.2 Examples of Sessions 

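We use the syntax of two-level sessions to formulate our business protocol. Proto is the session at the integrating level whilst the remaining four are at the communicating level. Their intuitive explanations have already been given in the last part of Sect. 2. We can also find a correspondence between Proto and its rough description in the Introduction. $\bigoplus$ is the multiple case of $\oplus$.

$$
\begin{aligned}
\mathit{Proto} \stackrel{\mathrm{def}}{=}\ & (\mathrm{broker}, \mathrm{buyer}_1, \mathrm{buyer}_2 : \mathit{Auction})\{\};\ \bigoplus_{i \in \{1,2\}} \big((\mathrm{buyer}_i, \mathrm{broker}, \mathrm{seller} : \mathit{DTransaction})\{\} \\
& \oplus\ (\mathrm{buyer}_i, \mathrm{broker}, \mathrm{seller} : \mathit{STransaction})\{(\mathrm{buyer}_i, \mathrm{broker}, \mathrm{bank} : \mathit{EPay})\{\}\}\big) \\
\mathit{Auction} \stackrel{\mathrm{def}}{=}\ & \bigoplus_{i \in \{2,3\}} (i, 1 : \mathit{bid}) \to \mu t.(1, 5-i : \mathit{quote}) \to \\
& ((1, i : \mathit{invoice}) \to \mathrm{end}\ \oplus\ (5-i, 1 : \mathit{bid}) \to (1, i : \mathit{quote}) \\
& \to ((i, 1 : \mathit{bid}) \to t\ \oplus\ (1, 5-i : \mathit{invoice}) \to \mathrm{end})) \\
\mathit{DTransaction} \stackrel{\mathrm{def}}{=}\ & (2, 3 : \mathit{price}) \to (1, 3 : \mathit{payment}) \to (3, 1 : \mathit{order}) \to \mathrm{end} \\
\mathit{STransaction} \stackrel{\mathrm{def}}{=}\ & (2, 3 : \mathit{prepaid}) \to (3, 1 : \mathit{order}) \to (1, 2 : \mathit{confirm}) \to (2, 3 : \mathit{payment}) \to \mathrm{end} \\
\mathit{EPay} \stackrel{\mathrm{def}}{=}\ & (1, 3 : \mathit{amount}) \to (3, 2 : \mathit{transfer}) \to \mathrm{end}
\end{aligned}
$$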

A comparison of the above session formulation and the behavioural formulation of the five agents in Sect. 2 leads us to see three advantages of session modularisation and integration. First, sessions characterise the interactions between processes globally, facilitating the prevention of deadlocks and race conditions. Also, sessions are free of channels. Finally, following the principle of separation of concerns, communicating sessions partition protocols into independent modules whilst integrating sessions assemble communicating sessions at an adequately abstract level. The last aspect is unique to our theory and its merits are two-fold: it fits the natural understanding of the protocol and the gradual procedure of protocol formulation.

3.3 Role Projection 

Session roles or roles refer to behaviours of participants acting in sessions. In 
other words, roles are the local description of sessions for participants. Formally, 
roles are represented as abstract processes. The goal of this sub-section is to 
develop mechanisms to project communicating and integrating sessions into their 
roles. The projection forms a basis for the type system developed later. 

We first deal with the projection of communicating sessions. First, we mark each occurrence of each event prefix in a given session by a unique channel name. Then, we map the given session into processes according to the following rules:

- $\mathrm{end}{\upharpoonright}r = 0$, $t{\upharpoonright}r = X_t$, $(\mu t.B){\upharpoonright}r = [\mathrm{rec}\,X_t](B{\upharpoonright}r)$,

- $((p, q : v) \to B){\upharpoonright}r = \begin{cases} c!v.(B{\upharpoonright}r) & \text{if } r = p \\ c?v.(B{\upharpoonright}r) & \text{if } r = q \\ B{\upharpoonright}r & \text{if } r \neq p, q \end{cases}$ where the leftmost occurrence of $(p, q : v)$ in $(p, q : v) \to B$ is marked by $c$,

- $(B; B'){\upharpoonright}r = (B{\upharpoonright}r)\{B'{\upharpoonright}r / 0\}$, $(B \oplus B'){\upharpoonright}r = B{\upharpoonright}r + B'{\upharpoonright}r$, and $(B \otimes B'){\upharpoonright}r = B{\upharpoonright}r \mid B'{\upharpoonright}r$.

After the first two steps, we obtain a set of processes such that the message flow between them at runtime (according to the operational semantics) is deterministic (and so channel interference is avoided). We say the message flow between $P_1$ to $P_m$ is deterministic if $P_1 \mid \ldots \mid P_m$ is deterministic. However, the number of channels used in sessions may be large. In the third step, we apply a channel substitution to the set of roles to optimise channel usage. The definition of the channel substitution is subject to practical considerations. For example, one may let two agents use the same channel to communicate, just as we did for the processes of five agents in the protocol example. The channel substitution is legal as long as the message flow between the resulting processes remains deterministic. Without confusion, when writing $B{\upharpoonright}r$, we always refer to the optimised $B{\upharpoonright}r$ and call it the role of $B$ for $r$. We can check that the projection is well-defined based on the well-formedness of sessions.

The projection for integrating sessions is similar, but usually the number of communicating sessions in an integrating session is not very large, therefore we omit the channel optimisation step. First, we mark each occurrence of the prefix in a given integrating session by a unique channel name. Then, we map the given session into processes according to the following rules:

- $\mathrm{end}{\upharpoonright}r = 0$, $t{\upharpoonright}r = X_t$, $(\mu t.A){\upharpoonright}r = [\mathrm{rec}\,X_t](A{\upharpoonright}r)$,

- $((\tilde{p} : B)\{A\}){\upharpoonright}r = \begin{cases} a[2..n](\tilde{c}).(A{\upharpoonright}r) & \text{if } r = \tilde{p}[1] \wedge \mathrm{pid}(B) = |\tilde{p}| = n \wedge |\mathrm{fc}(B{\upharpoonright}r)| = |\tilde{c}| \wedge \tilde{c} \cap \mathrm{fc}(A{\upharpoonright}r) = \emptyset \\ a[k](\tilde{c}).(A{\upharpoonright}r) & \text{if } r = \tilde{p}[k] \wedge |\mathrm{fc}(B{\upharpoonright}r)| = |\tilde{c}| \wedge \tilde{c} \cap \mathrm{fc}(A{\upharpoonright}r) = \emptyset \\ A{\upharpoonright}r & \text{if } r \notin \tilde{p} \end{cases}$ where the leftmost occurrence of $(\tilde{p} : B)$ in $(\tilde{p} : B)\{A\}$ is marked by $a$,

- $(A; A'){\upharpoonright}r = (A{\upharpoonright}r)\{A'{\upharpoonright}r / 0\}$, $(A \oplus A'){\upharpoonright}r = A{\upharpoonright}r + A'{\upharpoonright}r$, and $(A \otimes A'){\upharpoonright}r = A{\upharpoonright}r \mid A'{\upharpoonright}r$.

The process $A{\upharpoonright}r$ is the role of $A$ for $r$.

The projection is completely automated for integrating sessions, but it presupposes a legal channel substitution for communicating sessions to optimise the channel usage.

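Examples of roles The following set of processes contains roles of Proto for five agents (the first five) and roles of all four communicating sessions for the broker (the last four). Let $j \in \{1,2\}$.

$$
\begin{aligned}
R^{\mathrm{all}}_{\mathrm{broker}} \stackrel{\mathrm{def}}{=}\ & \mathit{auc}[2..3](a_{1,2}, a_{1,3}).\ \sum_{i \in \{1,2\}} (\mathit{dTran}[2](b_{1,3}, b_{2,3}).\ 0\ + \\
& \mathit{sTran}[2](c_{1,2}, c_{1,3}, c_{2,3}).\ \mathit{epay}[2](d_{1,3}, d_{2,3}).\ 0) \\
R^{\mathrm{all}}_{\mathrm{buyer}_j} \stackrel{\mathrm{def}}{=}\ & \mathit{auc}[j+1](a_{1,2}, a_{1,3}).\ (\mathit{dTran}[2..3](b_{1,3}, b_{2,3}).\ 0\ + \\
& \mathit{sTran}[2..3](c_{1,2}, c_{1,3}, c_{2,3}).\ \mathit{epay}[2..3](d_{1,3}, d_{2,3}).\ 0) \\
R^{\mathrm{all}}_{\mathrm{seller}} \stackrel{\mathrm{def}}{=}\ & \sum_{i \in \{1,2\}} (\mathit{dTran}[3](b_{1,3}, b_{2,3}).\ 0 + \mathit{sTran}[3](c_{1,2}, c_{1,3}, c_{2,3}).\ 0) \\
R^{\mathrm{all}}_{\mathrm{bank}} \stackrel{\mathrm{def}}{=}\ & \sum_{i \in \{1,2\}} \mathit{epay}[3](d_{1,3}, d_{2,3}).\ 0
\end{aligned}
$$

The broker's roles for the four communicating sessions are:

- for Auction: $\sum_{i \in \{1,2\}} (a_{1,i+1}?\mathit{bid}.\ [\mathrm{rec}\,X_t](a_{1,4-i}!\mathit{quote}.\ (a_{1,i+1}!\mathit{invoice}.\ 0 + a_{1,4-i}?\mathit{bid}.\ a_{1,i+1}!\mathit{quote}.\ (a_{1,i+1}?\mathit{bid}.\ X_t + a_{1,4-i}!\mathit{invoice}.\ 0))))$
- for STransaction: $c_{2,3}!\mathit{prepaid}.\ c_{1,2}?\mathit{confirm}.\ c_{2,3}!\mathit{payment}.\ 0$
- for DTransaction: $b_{2,3}!\mathit{price}.\ 0$
- for EPay: $d_{2,3}?\mathit{transfer}.\ 0$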
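The projection rules for communicating sessions from Sect. 3.3 and the opid function from Sect. 3.1, as an added Python example (not code from the paper). It assumes the channel substitution that gives each pair of participants one channel, as the five-agent example does; the names `End`, `Var`, `Comm`, `Rec`, `Bin`, `project`, `opid`, `show`, `pair_channel` and `chain` are this example's own.

```python
from dataclasses import dataclass

# Communicating sessions (Fig. 4 minus establishment); all names are this example's own.
@dataclass(frozen=True)
class End:
    pass
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Comm:                      # (p, q : v) -> cont
    p: int
    q: int
    v: str
    cont: object
@dataclass(frozen=True)
class Rec:                       # mu t. body
    var: str
    body: object
@dataclass(frozen=True)
class Bin:                       # op: ";" concatenation, "+" union, "|" product
    op: str
    left: object
    right: object

NIL = ("nil",)   # roles are tuples tagged nil, var, pre, rec, sum or par

def subst_nil(proc, tail):
    """{tail/0}: replace every inaction in proc by tail (used for B;B')."""
    kind = proc[0]
    if kind in ("nil", "var"):
        return tail if kind == "nil" else proc
    if kind in ("pre", "rec"):
        return (kind, proc[1], subst_nil(proc[2], tail))
    return (kind, subst_nil(proc[1], tail), subst_nil(proc[2], tail))

def project(sess, r, chan):
    """Role of participant r; chan(p, q) names the channel shared by p and q."""
    if isinstance(sess, End):
        return NIL
    if isinstance(sess, Var):
        return ("var", "X_" + sess.name)
    if isinstance(sess, Rec):
        return ("rec", "X_" + sess.var, project(sess.body, r, chan))
    if isinstance(sess, Comm):
        if sess.p == sess.q:     # well-formedness (1): no self interaction
            raise ValueError(f"self interaction ({sess.p},{sess.q}:{sess.v})")
        rest = project(sess.cont, r, chan)
        if r == sess.p:          # r is the sender
            return ("pre", f"{chan(sess.p, sess.q)}!{sess.v}", rest)
        if r == sess.q:          # r is the receiver
            return ("pre", f"{chan(sess.p, sess.q)}?{sess.v}", rest)
        return rest              # r takes no part in this event
    left, right = project(sess.left, r, chan), project(sess.right, r, chan)
    if sess.op == ";":
        return subst_nil(left, right)
    return ("sum" if sess.op == "+" else "par", left, right)

def opid(sess):
    """Participant sets of the events a session can start with (Sect. 3.1)."""
    if isinstance(sess, (End, Var)):
        return frozenset()
    if isinstance(sess, Rec):
        return opid(sess.body)
    if isinstance(sess, Comm):
        return frozenset({frozenset({sess.p, sess.q})})
    left, right = opid(sess.left), opid(sess.right)
    return (left or right) if sess.op == ";" else left | right

def show(proc):
    kind = proc[0]
    if kind in ("nil", "var"):
        return "0" if kind == "nil" else proc[1]
    if kind == "pre":
        return f"{proc[1]}.{show(proc[2])}"
    if kind == "rec":
        return f"[rec {proc[1]}]({show(proc[2])})"
    return f"({show(proc[1])} {'+' if kind == 'sum' else '|'} {show(proc[2])})"

def pair_channel(prefix):
    """Assumed channel substitution: one channel per unordered pair."""
    def chan(p, q):
        lo, hi = sorted((p, q))
        return f"{prefix}{lo},{hi}"
    return chan

def chain(*events):
    """Build (p,q:v) -> ... -> end from (p, q, v) triples."""
    sess = End()
    for p, q, v in reversed(events):
        sess = Comm(p, q, v, sess)
    return sess

# The three transaction-stage sessions of Sect. 3.2.
DTRANSACTION = chain((2, 3, "price"), (1, 3, "payment"), (3, 1, "order"))
STRANSACTION = chain((2, 3, "prepaid"), (3, 1, "order"),
                     (1, 2, "confirm"), (2, 3, "payment"))
EPAY = chain((1, 3, "amount"), (3, 2, "transfer"))
```

Projecting `STRANSACTION`, `DTRANSACTION` and `EPAY` onto participant 2 with the prefixes `c`, `b` and `d` reproduces the broker's three transaction-stage roles listed above.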



4 Type Discipline for Sessions 
4.1 Type System 

The purpose of the type system below is to efficiently type processes so that the 
'illegal' runtime behaviours of processes are prevented by static type checking. 
The type system is based on the role projection developed earlier. 
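Fig. 7 Typing rules

$$
\begin{array}{ll}
\Gamma \vdash 0 \triangleright 0 \qquad \Gamma, a \triangleright B \vdash a \triangleright B & [\text{T-nil}], [\text{T-ch}] \\[1ex]
\Gamma, X \vdash X \triangleright X \quad \text{or} \quad \Gamma, X \vdash X \triangleright 0 \circ \tilde{c} : X & [\text{T-var}] \\[1ex]
\dfrac{\Gamma \vdash a \triangleright B \quad \Gamma \vdash P \triangleright R \circ \tilde{c} : B{\upharpoonright}1(\tilde{c}), \Delta \quad \mathrm{pid}(B) = [1, n]}{\Gamma \vdash a[2..n](\tilde{c}).P \triangleright a[2..n](\tilde{c}).R \circ \Delta} & [\text{T-inv}] \\[2ex]
\dfrac{\Gamma \vdash a \triangleright B \quad \Gamma \vdash P \triangleright R \circ \tilde{c} : B{\upharpoonright}i(\tilde{c}), \Delta \quad 2 \le i \in \mathrm{pid}(B)}{\Gamma \vdash a[i](\tilde{c}).P \triangleright a[i](\tilde{c}).R \circ \Delta} & [\text{T-acc}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta \quad \tilde{c} \cap (\mathrm{dom}(\Gamma) \cup \mathrm{ch}(\Delta)) = \emptyset}{\Gamma \vdash P \triangleright R \circ \tilde{c} : 0, \Delta} & [\text{T-tml}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta \quad \tilde{c} \cap (\mathrm{dom}(\Gamma) \cup \mathrm{ch}(\Delta)) = \emptyset}{\Gamma \vdash P \triangleright R \circ \Delta, \tilde{c} : 0} & [\text{T-tmr}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \tilde{c} : Q, \Delta \quad b \in \tilde{c}}{\Gamma \vdash b\S v.P \triangleright R \circ \tilde{c} : b\S v.Q, \Delta} \ \text{where } \S \in \{!, ?\} & [\text{T-sr}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta \quad \Gamma \vdash P' \triangleright R' \circ \Delta' \quad \Delta \asymp \Delta'}{\Gamma \vdash P \mid P' \triangleright R \mid R' \circ \Delta \mid \Delta'} & [\text{T-com}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta \quad \Gamma \vdash P' \triangleright R' \circ \Delta' \quad \Delta \asymp \Delta'}{\Gamma \vdash P + P' \triangleright R \sqcup R' \circ \Delta \sqcup \Delta'} & [\text{T-sum}] \\[2ex]
\dfrac{\Gamma, X \vdash P \triangleright R \circ \tilde{c}_1 : Q_1, \ldots, \tilde{c}_n : Q_n}{\Gamma \vdash [\mathrm{rec}\,X]P \triangleright R^{[X]} \circ \tilde{c}_1 : Q_1^{[X]}, \ldots, \tilde{c}_n : Q_n^{[X]}} & [\text{T-rec}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta \quad R \equiv R' \quad \Delta \equiv \Delta'}{\Gamma \vdash P \triangleright R' \circ \Delta'} & [\text{T-eq}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta, \tilde{c} : Q, \Delta' \quad b \in \tilde{c}}{\Gamma \vdash (\nu b)P \triangleright R \circ \Delta, \tilde{c} \setminus b : Q, \Delta'} & [\text{T-hid}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta \quad b \notin \mathrm{dom}(\Gamma) \cup \mathrm{ch}(\Delta)}{\Gamma \vdash (\nu b)P \triangleright R \circ \Delta} & [\text{T-VEl}] \\[2ex]
\dfrac{\Gamma \vdash P \triangleright R \circ \Delta}{\Gamma \vdash l : P \triangleright R \circ \Delta} & [\text{T-lab}]
\end{array}
$$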

We define the following syntax:

$$
\Gamma ::= \emptyset \mid \Gamma, a \triangleright S \mid \Gamma, X \qquad\qquad \Delta ::= \{\tilde{c}_i : Q_i\}_{i \in I}
$$

A type environment $\Gamma$ is a function that assigns sessions to some channels (session channels) and typing to session variables. A typing is of the form $R \circ \Delta$, where $R$, called a session typing, is projected from an integrating session, and $\Delta$, called a channel typing, is a sequence of processes labelled by disjoint channel sequences. The domain of $\Gamma$ is a set of channels or variables it acts on. If its domain contains channel names only, we say $\Gamma$ is pure. Re-ordering of items in a type environment $\Gamma$ is permitted, but forbidden in a channel typing $\Delta$.

The type judgement $\Gamma \vdash P \triangleright R \circ \Delta$ reads 'the typing of $P$ is $R \circ \Delta$ under $\Gamma$.' If $\Delta = \epsilon$, we write $\Gamma \vdash P \triangleright R$. Formally, type judgements are defined by the typing rules in Figure 7, which are explained later. We also say $P$ is typed or typable by $\Gamma$ if there is a typing of $P$ under $\Gamma$. A few auxiliary definitions are given. $|\Delta|$ is the length of $\Delta$ and $\Delta[i]$ is the $i$th item of $\Delta$ where $1 \le i \le |\Delta|$. $\Delta$ and $\Delta'$ are compatible, denoted $\Delta \asymp \Delta'$, if $|\Delta| = |\Delta'|$ and $\Delta[i]$ and $\Delta'[i]$ have the same labelling sequence of channels for each $1 \le i \le |\Delta|$. Let $\Delta = \tilde{c}_1 : Q_1, \ldots, \tilde{c}_n : Q_n$ and $\Delta' = \tilde{c}_1 : Q'_1, \ldots, \tilde{c}_n : Q'_n$. $\Delta \equiv \Delta'$ if $Q_i \equiv Q'_i$ for each $1 \le i \le n$. Let $\Delta \mid \Delta' = \tilde{c}_1 : Q_1 \mid Q'_1, \ldots, \tilde{c}_n : Q_n \mid Q'_n$ and $\Delta \sqcup \Delta' = \tilde{c}_1 : Q_1 \sqcup Q'_1, \ldots, \tilde{c}_n : Q_n \sqcup Q'_n$. $\mathrm{ch}(\Delta)$ is the set of all labelling channels in $\Delta$.



[T-inv] and [T-acc] are for session invitation and acceptance, and [T-sr] for the ordinary communication. [T-tml] and [T-tmr] are needed because $\Delta \asymp \Delta'$ is used in the pre-conditions of [T-com] and [T-sum]. By [T-var], the type variables happen in either the main (i.e. integrating) session or a single communicating session. [T-rec] handles the recursive construction where $P^{[X]}$ is defined in Sect. 2. [T-eq] is necessary to make the current type system expressive enough, but it also brings in the infinity of typing for processes. For restricted processes e.g. $(\nu a)P$, if $a \in \mathrm{fv}(P)$, then it is dealt with by [T-hid]; otherwise, by [T-VEl]. [T-lab] absorbs the labelling in the typing derivation. [T-nil] and [T-ch] are standard.

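We construct a (pure) type environment for the five agents in the business protocol and establish type judgements for them.

Proposition 1 Let $\Gamma_{\mathrm{prt}} = \mathit{auc} \triangleright \mathit{Auction},\ \mathit{dTran} \triangleright \mathit{DTran},\ \mathit{sTran} \triangleright \mathit{STran},\ \mathit{epay} \triangleright \mathit{EPay}$. We have that $\Gamma_{\mathrm{prt}} \vdash P_{\mathrm{broker}} \triangleright R^{\mathrm{all}}_{\mathrm{broker}}$, $\Gamma_{\mathrm{prt}} \vdash P_{\mathrm{buyer}_j} \triangleright R^{\mathrm{all}}_{\mathrm{buyer}_j}$, $\Gamma_{\mathrm{prt}} \vdash P_{\mathrm{seller}} \triangleright R^{\mathrm{all}}_{\mathrm{seller}}$, and $\Gamma_{\mathrm{prt}} \vdash P_{\mathrm{bank}} \triangleright R^{\mathrm{all}}_{\mathrm{bank}}$.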



4.2 Properties of Typing 

We study several key properties of the type system. The decidability of type 
inference comes first. 

Theorem 1 Given a process $P$ and a type environment $\Gamma$, it is decidable whether there exist $R$, $\Delta$ such that $\Gamma \vdash P \triangleright R \circ \Delta$. If they exist, then there is an algorithm to construct such a pair.

The proof of Theorem 1 is by computing a so-called principal typing for a given process under some type environment. A principal typing is a particular typing for a process such that the process has the principal typing if and only if it is typable. A standard type checking algorithm can be constructed to (attempt to) compute the principal typing for each process, and the termination of the algorithm is guaranteed by the decidability of the structural congruence for processes (cf. Lemma 1).

To present the following three properties of the type system, we put forward an auxiliary definition: for a channel typing $\Delta = \tilde{c}_1 : Q_1, \ldots, \tilde{c}_n : Q_n$, let $\lceil \Delta \rceil$ be the multiple parallel-composition process $Q_1 \mid \ldots \mid Q_n$. In general, $\Delta \equiv \Delta'$ is strictly stronger than $\lceil \Delta \rceil \equiv \lceil \Delta' \rceil$.

The Subject Congruence Theorem below implies that if $P$ is typable and $P \equiv Q$ then $Q$ is also typable and their typings have a certain structural relation.



Theorem 2 (Subject congruence) If $\Gamma \vdash P \triangleright R \circ \Delta$ and $P \equiv P'$, then there exist $R'$, $\Delta'$ such that $\Gamma \vdash P' \triangleright R' \circ \Delta'$, $R \equiv R'$ and $\lceil \Delta \rceil \equiv \lceil \Delta' \rceil$.

The Subject Reduction Theorem states that the typability of a process
is preserved in an 'expected' way during its evolution. The theorem rules out
the standard type errors. For example, there is no F such that F h a[2..„] (c).Pi | 
a[„+i](c).F2 I /a or rh a[k]{c).Qi \ a[i]{c').Q2 where |c| \c'\. 

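Theorem 3 (Subject reduction) If $\Gamma \vdash P \triangleright R \circ \Delta$ and $P \xrightarrow{\alpha} P'$, then $\Gamma \vdash P' \triangleright R' \circ \Delta'$ for some $R'$, $\Delta'$ satisfying the following conditions: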

1. Ifa = a§w where § G {!,?} then R y R' and [A'] \A'], 

2. //a = a[2..„](c) andF^a>B then r''^^-^''^ R' and B\1{c) \ [A] >- \A'^, 

3. Ifa^ a[fc] (S) and Fh a>B then R "^J^^ R' and B\k{c) \ \A'\ >- \A'} , 
4- If a = T then 

(a) either R y R' and \A'] [A'l, 

(h) or R R' andB\l{d) \ ...\ B\n{c) \ \A~\ >~ [zi'] for some B, n such 

that pid(B) = 

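The last property says that the typing of a process under a type environment is unique up to a certain structural relation as in Theorem 2.

Theorem 4 (Typing uniqueness) If $\Gamma \vdash P \triangleright R \circ \Delta$ and $\Gamma \vdash P \triangleright R' \circ \Delta'$, then $R \equiv R'$ and $\lceil \Delta \rceil \equiv \lceil \Delta' \rceil$.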

5 Behavioural Analysis 

In this section, we use the two-level session types to analyse interactions of dis- 
tributed program components. Two system properties are dealt with: a channel 
safety property (also studied in the existing session type literature) and a be- 
havioural conformance between processes and sessions. But we first show how 
to represent and properly type a distributed system in our formalism. 

Informally, a program or a component in a distributed system is a pair of a participant name and a process. Following works in the process algebraic approach to architectural analysis, such as [1, 2, 26], we define (the architecture of) a system as a parallel composition of programs or components. Formally, we define that

Definition 3 (Systems) A program or a component is a labelled process $r : P$, where $r$ and $P$ specify its name and behaviour, respectively. A system is a process of the form $Sys = r_1 : P_1 \mid \ldots \mid r_n : P_n$.

For example, the following system implements the business protocol introduced in the Introduction and formalised in Sect. 3.2:

$$\text{SySg} = broker : P_{broker} \mid buyer_1 : P_{buyer_1} \mid buyer_2 : P_{buyer_2} \mid seller : P_{seller} \mid bank : P_{bank}$$

A session channel $a$ marks $B$ in $A$ if some occurrence of $B$ in $A$ is marked by $a$ in the projection. The following definition characterises how to use session types to properly type a system.

Definition 4 (Session well-typedness) $Sys$ (as defined in Def. 3) is well-typed by $A_{spc}$ under $\Gamma$ if

- $pid(A_{spc}) = \{r_1, \ldots, r_n\}$,

- $\Gamma \vdash a \triangleright B$ if and only if $a$ marks $B$ in $A_{spc}$, and

- $\Gamma \vdash P_i \triangleright A_{spc} \upharpoonright r_i$ for each $1 \le i \le n$.

If $Sys$ is well-typed by $A_{spc}$, we call $A_{spc}$ a session for $Sys$. In general, well-typedness is strictly stronger than typability. In other words, if $Sys$ is well-typed by $A_{spc}$ under $\Gamma$ then $\Gamma \vdash Sys \triangleright A_{spc}$; but the other direction does not necessarily hold. Also, we observe that if $Sys$ is well-typed by some session and $Sys$ (as a process) is closed then $Sys$ is well-typed by some pure session.

The channel safety property below says that channel interference is prevented 
at the runtime of the system. 

Definition 5 (Channel privacy) The communicating channels in $Sys$ are private if the following holds: if $Sys \longrightarrow^{*} (\nu \tilde{b})(r_1 : P_1 \mid \ldots \mid r_n : P_n)$ and $c\S v \in act(P_i)$ where $\S \in \{!, ?\}$, then there exists a unique $r_j$ such that $r_i \ne r_j$ and $c \in fc(P_j)$.

The channel privacy of a system is a consequence of well-typedness by a session 
specification, as the following theorem demonstrates. 

Theorem 5 If $Sys$ is well-typed by $A$ under $\Gamma$, then the communicating channels in $Sys$ are private.

Informally, the theorem is guaranteed by the determinism of message flow in the 
projected roles and the creation of fresh channels in the session establishment. 

Session conformance says that the runtime interactions of the system conform 
to its session specification. 

Definition 6 (Session conformance) $P$ conforms to $S$, if there is a relation $\mathcal{R}$ of processes and sessions such that if $(P, S) \in \mathcal{R}$ then the following conditions hold:

- If P = {iA)){p : Qi I 9 : (32 I R), Qi Q'l and Qi Q'2, then there exists 
S' such that S^-^ S' and (P', S') G 7^ where P' = {vb){p : Q'l \ q : Q'2 \ R); 

-IfP= {vh){pi : Qi I . . . I p„ : Q,„ | R), Qi "''^^'^ Qi and Q, Q[ for 
all2 <i < m, then there exist B, S' such that F \- a\> B, S ^'^^'iii!^' g' g^^^j^ 
(P', S') G n, where P' = {iyb){iiyc){pi : Q[ \ . . . \ p,n : Q'J \ R)- 

An alternative explanation of session conformance is behavioural refinement, because Def. 6 actually defines a behavioural simulation relation between sessions and processes. We observe that if $P$ conforms to $S$ and $P \equiv P'$, then $P'$ conforms to $S$. The following theorem confirms that session conformance of the system is also a consequence of well-typedness by a session specification.

Theorem 6 If $Sys$ is well-typed by $A_{spc}$ then $Sys$ conforms to $A_{spc}$.

By what we have established so far, we have the following two properties for the system SySg:

Proposition 2 (1) The communicating channels are private in SySg. (2) The behaviour of SySg conforms to its session specification Proto.

6 Process Slicing 

A type inference algorithm computes a typing, if possible, for a process under a type environment (cf. Theorem 1). However, in real-life cases, the developers have the session specification in the first place and then implement it, so they need to check whether a process is typable by the given session specification. A straightforward method to solve this type checking problem consists of two steps: to verify whether $\Gamma \vdash P \triangleright A \upharpoonright r$ for some $r : P$, $A$, we first compute $\Gamma \vdash P \triangleright A_P \upharpoonright r$ by a type inference algorithm and then check whether $A_P = A$. This algorithm is efficient, pre-supposing we have an efficient type inference algorithm.

However, there is a drawback in the above algorithm: if $\Gamma \vdash P \triangleright A \upharpoonright r$ does not hold, the algorithm does not tell which session or sessions it violates. Since the session specification is modularised, it is desirable to know the violated session or sessions. In the following, we propose an algorithm based on process slicing to improve the type checking. Informally, the key idea of the algorithm is to decompose a process into parts and compare each part with a role projected from a corresponding session.

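Suppose each session channel in $P$ is typed by $\Gamma$, namely, contained in the domain of $\Gamma$. The algorithm consists of two steps. The first step is the process slicing. Because the hiding and labelling operators are unnecessary for processes as the initial (not runtime) behaviours of programs or components, we assume that $P$ is free of these two operators. We call $P^{\chi_m}$ the main slice of $P$ and the main slicing function $\chi_m$ is formally defined as follows.

$$X^{\chi_m} = X \qquad ([rec\ X]P)^{\chi_m} = [rec\ X](P)^{\chi_m}$$

$$(\pi.P)^{\chi_m} = \begin{cases} \pi.(P)^{\chi_m} & \text{if } \pi \text{ is a session action,} \\ P^{\chi_m} & \text{otherwise;} \end{cases}$$

$$(P \star Q)^{\chi_m} = P^{\chi_m} \star Q^{\chi_m} \quad \text{where } \star \text{ is } \mid \text{ or } +.$$

We call $P^{\chi_{\tilde{c}}}$ the $\tilde{c}$-slice of $P$, and the slicing function $\chi_{\tilde{c}}$, which is parametric on $\tilde{c}$, is defined below.

$$X^{\chi_{\tilde{c}}} = X \qquad ([rec\ X]P)^{\chi_{\tilde{c}}} = [rec\ X](P)^{\chi_{\tilde{c}}}$$

$$(\pi.P)^{\chi_{\tilde{c}}} = \begin{cases} P^{\chi_{\tilde{c}}} & \text{if } fc(\pi) \not\subseteq \tilde{c}, \\ \pi.(P)^{\chi_{\tilde{c}}} & \text{otherwise;} \end{cases}$$

$$(P \star Q)^{\chi_{\tilde{c}}} = P^{\chi_{\tilde{c}}} \star Q^{\chi_{\tilde{c}}} \quad \text{where } \star \text{ is } \mid \text{ or } +.$$

After computing the slices of a process, we check whether each slice is structurally congruent to a corresponding role. Specifically, we verify if $A \upharpoonright r \equiv P^{\chi_m}$, $B \upharpoonright 1(\tilde{c}) \equiv P^{\chi_{\tilde{c}}}$, and $B \upharpoonright k(\tilde{c}) \equiv P^{\chi_{\tilde{c}}}$, where $\Gamma \vdash a \triangleright B$.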
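The two slicing functions and the per-session comparison can be run on a small process; the following is an added example, not code from the paper. Its assumptions: the class names and tuple encoding are invented here, 0 is taken to slice to itself, a session prefix is dropped by every channel slice, slices are compared with roles by syntactic equality instead of structural congruence, and the sample processes are constructed (loosely modelled on the sTran and epay sessions of the business protocol).

```python
from dataclasses import dataclass, replace

# Process syntax (assumed encoding; class names are not from the paper).
@dataclass(frozen=True)
class End:                      # inactive process 0
    pass

@dataclass(frozen=True)
class Var:                      # process variable X
    name: str

@dataclass(frozen=True)
class Rec:                      # [rec X]P
    var: str
    body: object

@dataclass(frozen=True)
class Comm:                     # communication prefix c!v or c?v
    chan: str
    pol: str
    msg: str
    cont: object = End()

@dataclass(frozen=True)
class Sess:                     # session prefix a[2..n](c~) or a[k](c~)
    name: str
    idx: str
    chans: tuple
    cont: object = End()

@dataclass(frozen=True)
class Bin:                      # P | Q or P + Q
    op: str
    left: object
    right: object

def _slice(p, keep):
    """Drop each prefix pi with keep(pi) false; recurse through rec, | and +."""
    if isinstance(p, (End, Var)):
        return p                # assumption: 0 and X slice to themselves
    if isinstance(p, Rec):
        return Rec(p.var, _slice(p.body, keep))
    if isinstance(p, Bin):
        return Bin(p.op, _slice(p.left, keep), _slice(p.right, keep))
    rest = _slice(p.cont, keep)
    return replace(p, cont=rest) if keep(p) else rest

def main_slice(p):
    """Main slice: keep session actions only."""
    return _slice(p, lambda pi: isinstance(pi, Sess))

def chan_slice(p, chans):
    """c~-slice: keep communications whose channel belongs to chans."""
    return _slice(p, lambda pi: isinstance(pi, Comm) and pi.chan in chans)

def chain(*prefixes):
    """Build pi_1. ... pi_n. 0 from prefixes created with the default tail."""
    proc = End()
    for pre in reversed(prefixes):
        proc = replace(pre, cont=proc)
    return proc

def show(p):
    if isinstance(p, End):
        return "0"
    if isinstance(p, Var):
        return p.name
    if isinstance(p, Rec):
        return f"[rec {p.var}]({show(p.body)})"
    if isinstance(p, Comm):
        return f"{p.chan}{p.pol}{p.msg}. {show(p.cont)}"
    if isinstance(p, Sess):
        return f"{p.name}[{p.idx}]({','.join(p.chans)}). {show(p.cont)}"
    return f"({show(p.left)} {p.op} {show(p.right)})"

def violated_sessions(proc, main_role, session_roles):
    """Names of the sessions whose expected role differs from the slice."""
    bad = [] if main_slice(proc) == main_role else ["main"]
    for name, (chans, role) in session_roles.items():
        if chan_slice(proc, chans) != role:
            bad.append(name)
    return bad

# Constructed sample: expected roles of one participant in two sessions.
S_CH, E_CH = ("c12", "c13", "c23"), ("d13", "d23")
MAIN_ROLE = chain(Sess("sTran", "2", S_CH), Sess("epay", "2", E_CH))
ROLES = {
    "sTran": (S_CH, chain(Comm("c23", "!", "prepaid"),
                          Comm("c12", "?", "confirm"),
                          Comm("c23", "!", "payment"))),
    "epay": (E_CH, chain(Comm("d23", "?", "transfer"))),
}
# Constructed implementations: the two sessions are interleaved in GOOD;
# BAD omits the confirm step of sTran.
GOOD = chain(Sess("sTran", "2", S_CH), Comm("c23", "!", "prepaid"),
             Comm("c12", "?", "confirm"), Sess("epay", "2", E_CH),
             Comm("c23", "!", "payment"), Comm("d23", "?", "transfer"))
BAD = chain(Sess("sTran", "2", S_CH), Comm("c23", "!", "prepaid"),
            Sess("epay", "2", E_CH), Comm("c23", "!", "payment"),
            Comm("d23", "?", "transfer"))

if __name__ == "__main__":
    for name, proc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "violates:", violated_sessions(proc, MAIN_ROLE, ROLES))
```

A whole-process comparison would only report that BAD is not typable by the specification; the per-slice comparison names sTran as the violated session while the main and epay slices still match.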
By our bound name convention, a name is not bound twice and does not have free and bound occurrences simultaneously in a process. The following theorem says that if $P$ is typed by $A \upharpoonright r$ under $\Gamma$ then the slicing of $P$ 'coincides' with the role projection of $A$.

Theorem 7 (Slicing-projection correspondence) If $\Gamma \vdash P \triangleright A \upharpoonright r(\tilde{a})$ then the following three conditions hold:

- $A \upharpoonright r(\tilde{a}) \equiv P^{\chi_m}$,

- if $a_{[2..n]}(\tilde{c}) \in act(P)$ and $\Gamma \vdash a \triangleright B$, then $B \upharpoonright 1(\tilde{c}) \equiv P^{\chi_{\tilde{c}}}$,

- if $a_{[k]}(\tilde{c}) \in act(P)$ and $\Gamma \vdash a \triangleright B$, then $B \upharpoonright k(\tilde{c}) \equiv P^{\chi_{\tilde{c}}}$.

Based on the above theorem, the correctness of the process slicing algorithm for the type checking is established. However, the method is not complete: the other direction of the theorem does not hold, as witnessed by the following counter-example. Thereby, the coincidence of role projection and process slicing does not entail the typability, and a technical implication is that the process slicing method cannot replace the type system in Sect. 4.1.

Proposition 3 Let Bi ^ {p,q : Vi) {p,q : Ui) end, B2 = {q,p : W2) ^ 
{q,p : U2) —7- end, Aq — Bi; B2, Iq h > Bi where i G {1, 2}, and P\ — a^j] (ci)- 
C\lv\.a^2 2](c2)- C2!i'2- ci?Mi. C2!u2. end. With a suitable role projection of B\ and 
B2, we have that Ao,Pi and Fq satisfy the three conditions in Theorem^ but 
not Fo h Pi t> Ao\p{ai,a2). 

7 Related Work 

Session type theories Our work is rooted in the foregoing theories of session types, especially the global description of interactions and multiparty sessions. Carbone et al. [4] presented two calculi to describe the communication behaviours from the global and local perspectives, respectively, and several principles to establish a sound and complete projection of the former to the latter. Some of the ideas behind the syntactic restrictions that we set up for the two-level sessions are related to their projection principles. The process calculus in the present paper is from Honda et al. [15], in which the authors extended the traditional binary session types to the multiparty asynchronous context and solved several technical challenges (as the result of the loss of two-party duality and the asynchrony) such that several fundamental properties of the session type discipline also hold by linearity analysis. The syntax for the calculus is abstract (e.g. messages are treated as message types) and does not contain some syntactic features that are considered as essential to session type theories (e.g. the distinction of internal and external choices and message-based branching behaviours, as argued by Castagna and Padovani [5]). Our intention is to focus on the two-level separation of session syntax and minimise the side techniques when studying relevant properties. We leave the work on enriching the syntax of sessions and calculi alike according to the existing session type theories to the future.
The subsequent work on session types witnesses a trend of increment on the expressive power to characterise richer conversation structures. For example, Denielou and Yoshida [8] extended the multiparty session types to accommodate the runtime change of session participants, i.e. the joining or leaving of participants, after a session is initiated. The same authors [28] introduced finite recursive type constructors into the multiparty session types to express a wide range of processes whose specification structures are parameterised whilst keeping the type checking for the resulting type system decidable. To improve protocol modularisation of session types, Demangeon and Honda introduced a way to define abstract nested protocols independent of their host protocols such that the host protocols can call the nested ones by passing them arguments such as values, roles, and even (names of) other protocols. In these studies, the enrichment of the session type construction leads to the increment of syntactic primitives in the process calculi. In contrast, the separation of two-level sessions in our work does not complicate the syntax of the calculus. An interesting point is to compare the concept of nested protocols by Demangeon and Honda [7] with that in the present paper. Their protocol calling is comparable to the procedure calling in sequential programming, in which the exact position of the involvement must be specified to make sense of the main program. Our protocol nesting is more general in the sense that 'being nested by' just means 'occurring within'. Also, in our work, the meaning of the host protocol is complete with or without its nested protocol(s).

Padovani [22] proposed a backward approach to session types, in which session types are defined as projected fragments of processes. More specifically, a process is sliced as per channels it uses and session types are a type approximation of the channel-sliced fragments of the process. There are two connecting points between his work and ours: first, both make use of process slicing, in spite of different purposes; second, both (and [4]) investigate sessions semantically.

Session types as architectural connection The idea of viewing sessions as 
a behavioural approximation of processes comes from process algebraic analy- 
sis of software architectural connection. Architectural connection deals with the 
interactions of components which contrast to the local computations of components.
Allen and Garlan [1] argued for the merits of implementing architectural
connection in a special class of components called connectors. They formulated 
connector types based on the process algebra CSP [TTl and analysed the proto- 
col compatibility issues related to components and connectors. Following their 
approach, the present authors [IS] [55] proposed formal languages and methods 
to improve the architectural analysis. But these works assume the co-ordination 
of connectors for components and, hence, only handle the connector-based ar- 
chitectural styles. Bernardo et al. [2] distinguished the connector-based and non- 
connector-based styles, but their analytic techniques for the latter are based on 
the notion of 'inter-operability' of a process against others, which skirts around 
the problem. Multiparty session types offer a solution to overcome the restriction 
by describing the component interactions globally without using connectors. To 
employ multiparty session types to analyse architectural connection, we need 
to be concerned with the behavioural compatibility (defined as session conformance in the present paper) between component computations (processes) and their expected interactions (session types).

8 Conclusions 

We address the problem of session integration in protocol specification and develop a theory of two-level synchronous multiparty session types, in which session integration is separated from session communication. As for the technical results, we develop a new type system and study its key properties. We also analyse a channel safety property and a behavioural relation between processes and sessions, and present a process slicing method to improve the type checking.

We outline several interesting directions for further studies. First, we are working on the analysis of more behavioural properties of distributed computing systems in the novel session type theory. For example, behavioural refinement is too weak in some sense, and we want to establish a relation between behavioural refinement and equivalence between processes and sessions. Deadlock-freedom and liveness of processes are also important properties to be studied. The challenge is to properly revise the set of typing rules so that the satisfaction of some natural properties by the sessions entails the satisfaction of those behavioural properties. Second, we also expect to enrich the syntax of our process calculus according to existing session type studies. Third, the process slicing method is not complete with respect to the type system and, therefore, one research question revolves around finding a complete method to facilitate the type checking. Finally, we are also interested in leveraging session types as a theoretic tool for software architectural analysis.

Appendix

A Complete Set of Roles for The Protocol Example
Roles of Proto for the five agents Let $j \in \{1, 2\}$.

-^broker aUC[2..3](ai,2,ai,3)- ^ (dTrailp] (6l,3, ^'2,3)- + 

»e{i,2} 

sTran[2](ci,2,Ci,3,C2,3)- epayfa] (di,3, ^2,3)- 0) 

^buyer^. auC[j + i] (ai,2 , Ol.s) ■ (dTran[2..3] (^1,3, fo2,3)- + 

sTran[2..3](ci,2,ci,3,C2,3)- cpay-j2..3] ("^i.s, c^2,3)- 0) 
Keller =' (dTranlgj (61,3, 62,3). + sTran|3j (ci,2, ci,3, 02,3). 0) 

ie{l,2} 

sTran|2..3](ci,2,Ci,3,C2,3)- epayj^ gj (di,3, ^2,3)- 0) 
'Rbank=* epayi3]((ii,3,d2,3). 

ie{l,2} 

Roles of the four communicating sessions for the broker 

-^broker '== X/ ('^i.i+i '^^lid. [rec Xi] (ai,4_j!quote. (oi,i+i!invoice. 0. + 

oi,4_j?bid. ai,j+i!quote. (oi,j+i?bid. Xi + ai,4_i!invoice. 0)))) 

-^broker '= C2,3 Iprepaid. ci,2?confirm. 02,3! payment. 
^brokTr =' fc2.3!price. iJj^P^r rf2,3?transfer. 

Roles of the four communicating sessions for the buyers Let $j \in \{1, 2\}$.

-R^uyerj aij+i!bid. [recXi](ai,j+i?quote. ai,j+i!bid. X + 
ai,j+i?invoice. 0) + ai,j+i?quote. 

[recX2](ai,j+i!bid. (ai,j+i?invoice. + aij+i?quote. X2)) 

K'^ytr, = &i,3!paynient. 6i,3?order. 

^b^ye?, Ci,3?order. ci,2!confirni. RZ%r, = rfi.slamount. 

Roles of D Transaction and D Transaction for the seller 

-^SieT 62,3?price. 6i,3?payment. 6i,3!order. 
Keiitr '= C2,3?prepaid. ci,3!order. 01,3! payment. 
The role of EPay for the bank



-^bank di^3?amount. 6^2,3 'transfer. 



B Derivation of $\Gamma_{prt} \vdash P_{broker} \triangleright R^{all}_{broker}$

This part of the appendix is dedicated to detailing a derivation of the type judgement $\Gamma_{prt} \vdash P_{broker} \triangleright R^{all}_{broker}$ in Proposition 1. Derivations of other type judgements in Proposition 1 can be constructed in a similar way.



1. by [T-NiL [T-tml] 



/"prt I- [> O (Ci,2, Ci,3, C2^3) : 



2. by [T-Sr] 



i"prt 1^ ^broker (ci,2, Cl,3, C2,3) : -Rbrokor 

3. by |[T-TML][T^ 



Tprt h di,3?transfer. R^^l^, t> o (^1,3,^2,3) : KZL, (ci,2, Ci,3, 02,3) : 

4. let i e {1,2} and 

PI '^^^ sTran[2](ci,2,ci,3,C2,3)- epay[2] (di,3, £^2,3)- di,3?transfer. iitroker 

5. by [T-Ch ][T-ACcT 



Pprt \- Pi i>sTran[2](ci,2,ci,3,C2,3)- epay[2](di,3,rf2,3)- 

6. by [T-nil ][T-tml][T-sr][ T-ch ][T-acc~ 

Pprt \- dTran[2](&i,2,&2,3)- &2,3!price. > dTran^j (61,2, &2,3)- 

7. let 

P2 = dTran[2](fei,2,&2,3)- + sTran^j (ci,2, Ci,3, 02,3)- epay^j (di,3, ^2,3)- 

8. by ©([Sl IiT-SUM]' 



Pprt ^ -Pbrokcr » ^2 ^prt I" ^broker ^2 



9. by |[T-TML][T-SR] 



Pprt I- ai^4-i!invoice. -PbroLr ■> -^2 * ■ (01,2,01,3) : ai,4_i!invoice. 
10. by I [T-var][T-tml][T-s"r| 



Pprt I" ai^i+i?bid. X >0o (01,2, 01,3) : ai,i?bid. X 
11. let



P3 = ai4_i?bid. ai^i+i!quote. (ai,i-|_i?bid. X + ai 4_i!invoice. 0) 
12. by ([91) (fTO lffFsuM][T-SR][T-EQT 



13. by [T-TML T-Sr] 



14. let 



-Tprt I- ai^i+i [invoice, ^broker » -^2 ° (ai.2,ai,3) : ai,i+i [invoice. 

PI = ai,4-Jquote. (ai,,+i!invoice. F^,,kcr + PsiPLLJ^}) 
P5 = ai^4_j!quote. (ai,i+i!invoice. + P3) 



15. by (gSldini [T-SUM T-sr] 



Pprt \- Pl> P2 + Pi ' o ai,4_i!quote. (ai,j+i [invoice. + P3) 
16. by |[T-REC][T^ 



-Tprt y- ai,i+ilhid. [rccX]P^ > -P2 + ° ai,i+i?bid. [mcX]Pl 



17. by UllKlll [T-SUm] {P^ + P2 = ^'1 + ^'2 ) 



Tprth ^ P^P^i + Ploi?- 

ie{l,2} 



auc 
okcr 



18. by [T-iNv] 



.all 



okcr 



This finishes the derivation. 



C More Examples 

We present two more examples to show the utility of our two-level session types 
in expressing the scenario-based specification of systems. 

Client-server system The first one is a client-server system, which consists of 
one client, two servers and a configurator. The client attempts to make requests 
to the servers and the configurator co-ordinates the client and two servers so 
that the client can only call the available server(s). Both servers have two states: 
they are either in the normal working order or preparing to update their data 
bases and shut down the service temporarily. The servers inform the configurator 
of their states in their conversations. Before the client calls the servers, the 
configurator tells them whether the servers are ready to take requests. 
The following is a formulation of the session specification in our two-level session types, where C is the client, $S_1$, $S_2$ are two servers, F is the configurator, CSsystem is an integrating session type, and Control, Initi and Service are communicating session types.

CSsystem {F, Si, S2 ■ Control) {} 

(E)fit.{ {C,F : Initi){};{C,S.r. Service){};t) 

ie{1.2} 

Control ^= ^t.( (j, 1 : update) — (j, 1 : ready) —?■ t) 

ie{2,3} 

Initi (1,2: ping^) ^ ((1, 2 : yes ^ end) ® (1, 2 : no) end) 

fcG{l,2} 

Service (1,2 : request) (2,1 : return) end 

The formulation captures the intuitive and coarse-grained understanding of the conversations between the four components. First, the conversations consist of three parts, represented by three communicating sessions. Second, the relationship of these sessions is described by CSsystem, revealing the most essential design decisions of the system. For example, Service happens after Initi and together they form a recursive session. Control is also recursive and proceeds independent of the other two communicating sessions. Of course, many design details are to be worked out in the later development stage. For example, if the configurator replies 'no' to the client's pinging action in Initi, then the client is not allowed to initiate Service. Also, the messages received by the configurator in Control should affect its replies to the client's pinging action in Init.

Quote request The second example is a quote request protocol which is modified and simplified from the one in [28]. The protocol involves three agents, i.e. a buyer, a supplier, and a manufacturer, and consists of two parts: the first part is a conversation between the buyer and the supplier, in which the price of some item or good is negotiated; the second part, which is nested within the first part, is for the supplier to confirm the price with the manufacturer.

As before, the formulation consists of one integrating session and several (here two) communicating sessions. B stands for the buyer, S the supplier, and M the manufacturer.

$$QuoteReq \stackrel{\mathrm{def}}{=} \langle B, S : Negotn \rangle \{ \langle S, M : Confirm \rangle \{\} \}$$

$$Negotn \stackrel{\mathrm{def}}{=} (1, 2 : item) \to (2, 1 : quote) \to ((1, 2 : accepted) \to end \ \oplus\ (1, 2 : newquote) \to ((2, 1 : accepted) \to end \ \oplus\ (2, 1 : rejected) \to end))$$

$$Confirm \stackrel{\mathrm{def}}{=} (1, 2 : quote) \to ((1, 2 : yes) \to end \ \oplus\ (1, 2 : no) \to end)$$

This example shows the necessity to distinguish protocol calling and protocol nesting (cf. discussions in Sect. 7). Because, as far as the protocol is concerned, it suffices to indicate the nesting relationship between Negotn and Confirm. Without specifying the nesting position of Confirm in Negotn, Negotn describes a complete conversation between the buyer and the supplier.



D Proof Details 



Proof of Theorem 1

Proof. The proof is a standard proof of decidability of type inference. Because of [T-EQ], a process has infinitely many typings, but we show that we can compute a 'principal' typing for each process such that the process has a 'principal' typing if and only if it is typable.

First, for each P, we compute a set sub|(P) (resp. subu(-P)) which is the 
smallest set such that 



1. if (Pi,P2) e sub|(P) (resp. subu(P)) then Pi | P2 
and 

2. if Qi \ Q2 = P (resp. Qi\JQ2 = P) then there are Pi, P2 such that Pi 
P2 EE Q2 and (Pi,P2) e sub|(P) (resp. subu(P)). 

The two sets are decidable because = is decidable (Lemma [1]). sub|(Z\) is 
defined as follows: (Z\i,Z\2) G sub|(Z\) if and only if |Z\i| = |Z\2| — \A\ and, for 
each l<i< (P^Pa) e sub|(P*) where Ai[i\ = c : PI , ZlaW = i ■ P2 and 
P^ = c : A[i] for some c. subu(Z\) is defined similarly. Note that if (Z\i,Z\2) G 
sub|(Z\) (resp. subu(^)), then Ai x A2. 

A principal typing of P under P is a typing derived by the rules in Figures 



P (resp. Pi U P2 = P), 
Qu 



[7] except [T-eq] and plus the following two rules: 

rhPt>RoA rhP't>R'oA' (P,P') e sub|(P") {A,A')eseti{A") 

P h P I P' P" o A" 

[T-COM+] 

r^P>RoA rhP'>R'oA' (P,P') e subu(P") {A,A')esctu{A") 



P h P + P' [> P" o A" 



[T-SUM+] 



We have the following lemma: 



Lemma 2 $\Gamma \vdash P \triangleright R \circ \Delta$ if and only if $P$ has a principal typing under $\Gamma$.

The right-to-left direction of the lemma is obvious. For the other direction, we suppose $\Gamma \vdash P \triangleright R \circ \Delta$. In the derivation procedure, if commutative and associative laws for $\mid$ and $+$ are applied in [T-EQ], we have the same derivation by the additional two derived rules, and whenever other structural laws in Figure 2 are applied in [T-EQ], we just omit them. In this manner, we will obtain a principal typing for $P$. Therefore, the type inference of the type system is decidable.

Note that if $R' \circ \Delta'$, say, is the principal typing of $P$, then by Theorem 4 (to be proved) $R \equiv R'$ and $\lceil \Delta \rceil \equiv \lceil \Delta' \rceil$.

Proof of Theorem 2

Proof. Suppose $\Gamma \vdash P$ and $P \equiv P'$. The proof is by induction on the derivation of $P \equiv P'$. The proof is divided into two parts. First, we show that each rule in Figure 2 and its symmetric form respect the above theorem. Here we detail one of the most tricky rules:

{ua)Pi I P2 = {ua){Pi I Pa) if a ^ HP2) 



(1) We first suppose P ^ {va)Pi | P2, P h P>PozA and a ^ fc(P2). Because P h 



P\>RoA is derived by [T-COm] and possibly by [T-eq] [T-tml] and/or [T-tmr] 



(for one or more times), it can be verified that P h {va)Pi > Pi o P h P2 i> 
R20A2, Ai -x. A2, R = Ri \ R2, and \A~\ = \Ai \ A2^ for some Ri,R2,Ai,A2. 
Here we have two possibilities. (1.1) Suppose a £ ch(Z\i). Thus, P h (t/a)Pi > 
Pi o Ai is derived by [T-hid] and possibly by [T-eq][T-tml][T-tmr] [ and, 



we have that P h Pi > Pi o c : Q, A'{, a € c, and Z\i = ci : 0, . . 
0,A[,c\a : Q,A'{,Cm+i ■ 0, . . . , Cm+n : 0. No matter a 6 US"'^i or not, 
we can rewrite the processes of type derivations for Pi and P2 to obtain type 
judgements P h Pi > Pi o Z\3 and P h P2 > P2 o -42 such that A3 x A4 and 
[A3 I A4] =jAi I A2^ (when applying P'-tml] 



[T-tmr] to prefix b for some 



b, we prefix b/a or some b' such that b'\a — b instead). Note that the rewritten 
derivations are based on a G fc(P2) and the channel assumption (cf. Sect. [2]). 
Then, we apply [T-hid] to type (i^a)(Pi | P2) and obtain the desired result. 
(1.2) Suppose a ^ ch(Z^i). Thus, P h (i^a)Pi > Pi o zii is derived by |[T-VEi] 



and possibly by [T-eq][T-tml] T-tmr] and we have that P h Pi i> Pi o A[ 
and Z\i = ci : 0,...,c„i : 0, A[,Cm+i : 0, . . . ,Cm+n '■ 0. Similarly, we rewrite 
the type derivation for P2 and obtain P h P2 > P2 o A2 such that Ai x A2 and 
[Z\^] = [Z\2] . Then, apply |[T-VEi]| to P h P2 > P2 o A'2 and obtain the desired 
result. (2) Then, we suppose P = (i/a)(Pi | P2), P h P > P o Z\ and a ^ fc(P2). 
The treatment is similar to the first case. 

The second part of the proof is to show that the laws of congruence respect 
the theorem. We choose to deal with the following rule: 



-Pi =^2 



[recX]Pi = [recX]P2 



We suppose P 
A = ci : Qi,. 
[T-eq][T 



-TML 



such that Pi 
induction hypotheses, P, X 



= [recX]Pi, P' = [recX]P2, Pi = P2, and P h P >RoA w here 
. , c„ : Q n- Because PI-Pi>PoZ\is derived by |[T-rec]| (and 
T-tmr] possibly), we have P, X h Pi > Pi o ci 
P[^l and = Qpl 



for each 1 < i < 71. 



Qi J ■ ■ • J : 

Since Pi = P2, 



by 



P2 > P2 o c[ 



Q'^ for some P2, c- and 



for each 1 < z < n such that P2 = Pi and Q[ 



[T-REC] we have that P h [recX]P2 > R o A' where R = R\^^ and A' = 



Q'n=Q 

= 



■Qn- By 



Q'l}^\ Therefore, we have that P = P' and [Z\] = [Z\']- 



Proof of Theorem 3

Proof. The proof is by induction on the derivation of $P \xrightarrow{\alpha} P'$ according to the rules in Figure 3 and depends on the value of $\alpha$. The following only covers the most typical cases.

(1) Suppose P — a.P'. In this case, a has three possible forms: a§u, a[2..„](c) 
or «[/;] (c) w here § g {?, !}. First, we let a = a§u. Because P h P>RoA is derived 
by [T-Sr] and possibly by [T-eq] T-tml] T-tmr] (for one or more times), we 
have that P \- P' > R' o A' for some R' , A' such that R = R' , [A'l = \c : 
Q,Zi"], and [Z\] EE \£ : a§w.g, zi"] for some c,Q,A". We have that l A] 

\A'~\ . Then, l et a — a[2,,„](c). Becaus e P\-P>RoA is derived by [T-iNv] 
(and possibly |[T-eq][T-tml][T-tmr]) , we have that P \- P' > R' o A' , R = 
ai2..n]{c).R' (thus R' R) and {A] = [Z\'] | B\l{c) w here Ph a h B. Lastly, 
let a — a[fc](e). Because P h P t> R o A is derived by T-ACC] (and possibly 
[T-eq][T-tml][T-tmr]| ), we have that P \- P' > R' o A' , R = a[k]{c).R' (thus 

R' R), and \A'] = | Bfl(5) where rhahBand2<fce pid(B). 

(2) Let ot — a\v and suppose P = Pi + P2 and P — s> P' is derived from 



Pi — > P' (the treatment is similar of it derived from P2 — > P'). By [T-SUm] 



(and possibly by [T-EQ T-TML][T-TMRj 



we have that P h Pi > Ri o Ai, 
P h P2 > P2 o ^2, R = R1UR2, and = U Z\2l • By induction hypotheses, 
P h P' P' o zi'. Pi ^ R' and [zii] [Z\']. Hence, R y R' and [zi] 

[Zi'l. 

(3) Let a = T and P = Pi | P2. Here we have two subcases. (3.1) Suppose 
P P' is derived from Pi P' (or P2 P'). The treatment for this 
subcase is relatively simple and similar to the last case and thus we omit it. (3.2) 

P ^ P' is derived from Pi P[ an d P2 ^ P^ a nd P' = P^ | P^ Becaus e 
PhP[>PoZiis derived by |[T-COm]| (and possibly | [T-eq][T-tml][T-tmr] \ , 
we have that P h Pi > Pi o Z\i and P h P2 P2 ° ^2 for some Pi, P2, ^1, ^2 
such that P = Pi I P2, and = \Ai \ Z\2l- By induction hypotheses, 
P h Pi' > P'l o A'l and P h P^ > R'^ o A'^ for some Pi , P^ , Z\'i , Z\'2 such that 



Pi ^ P'l, R2 y R'2, r^i] 

Hence, P h P' > P; | P^ o 



\A'i] and rz\2l 



alv 



A'2. 



Z\'i I Z\^, Pi I P2 ^ P'l 



^ rz\^]. Also, Z\'i 
R'2 and [Z\i I Zia] -^y 

[Z\'i I Z\^]. (3.3) P ^ P' is derived from Pi "''^^"^ and P, i^' for 

each 2 < i < n. Suppose P h aAB. Because PhP>PoZ\is derived by 
[T-COm] for n — 1 times (and possibly [T-eq][T-tml] T-tmr] ), we have that 



P h Pi Pi o zii and P h PiAPi o Ai {2 < i < n) for some Pi, Pi, Ai,A, such 
that P = Pi I P2 I . . . I P„ and [Z\] = [Z\i] | [Zi2l | • . • | \A„]. By induction 
hypotheses, P h P^' > R[ o A[ and P h P^AR^ o A'^ {2 < i < n) for some 



a[2..,i](c) 



[All I 5tl(c), and 
. X Z\' . Therefore, 



P'l, P',, Z\i, such that Pi '-^ R[, R, ^ R[, \A'i 
\A[~\ = \Ai \ I P|'i(c) for each 2<i<n. Also, A'l x A'^ : 
[Z\'i I . . . I Z\;i ^ Pri(5) I . . . I B\n{c) I \Ai \ . . . \ A^l 

(4) Let a — a§w. Suppose Q = P, Q' = P', and P — > P' is derived from 
Q Q'. By TheoremU P h gi>PioZ\i such that Pi = P and [Z\i] ee [Z\1. By 
induction hypotheses, P h Q' > P'l o Z\'i such that Pi ^ P'l and [Z\i] -^^^ f'^'i]. 
Then, by Theorem [5] again, we have the desired result. 
Proof of Theorem [4]



Proof. The proof is by induction on the derivation of Γ ⊢ P ▷ R ∘ Δ and
Γ ⊢ P ▷ R' ∘ Δ' according to rules in Figure [7]. We detail two cases.
(1) Suppose P = a[2..n](c).P1 and Γ ⊢ P ▷ R ∘ Δ is derived by [T-INV]. Let
Γ ⊢ a ▷ B and |pid(B)| = n. Thus, Γ ⊢ P1 ▷ R1 ∘ Δ1 for some R1, Δ1 such that
R = a[2..n](c).R1 and Δ1 = c : B↾1, Δ. Also, Γ ⊢ P ▷ R' ∘ Δ' and possibly
[T-EQ][T-TML][T-TMR] for one or more times. Thus, Γ ⊢ P1 ▷ R1' ∘ Δ1' for some
R1', Δ1' such that R' = a[2..n](c).R1' and = | By induction hypotheses,
R1 = R1' and ⌈Δ1⌉ ^ ⌈Δ1'⌉. Therefore, R = R' and ⌈Δ⌉ = ⌈Δ'⌉.
(2) Suppose P = [recX]P',
and P h Pt>RoA and T h PoR'oA' are derived by|[T-REC][ Let T h F'>i?ioai : 



Q,\ where i?^' = i? and ci : Q\ 



Ql J ■ • • : C„ 

P'>i?2o£i : g?,. 
By induction hypotheses, Ri = i?2 and \Ql \ ... | Q, 
each 1 <i<n. Thus, we have R = R' and [Z\] = [Z\'] 



Ql where i?'^' = i?' and £i : 



= Z\, and P h 



= A'. 

Ql] for 



Proof of Theorem [5]

Proof. (Sketch) This lemma is guaranteed by the projection of sessions into roles 
and the generation of fresh channels in the session establishment. A formal proof 
is by induction on Sys — ^, : Pi \ ■ . ■ \ n : P„). 



Proof of Theorem [6] 

Proof. We first put forward two lemmas, whose proofs are by the syntax of B
or A. 

Lemma 3 (1) If B B' then B\p{c) ^ B'\p{c') and B\q{£) ^ B'\q{d') 
for some b ^ c'. (2) If B]p{c) P and B\q{c) Q then there are B',c' 
such that B ^ B', P = B' \p(c'}, Q = B' \q(c'} and c' C £. 

Lemma 4 Let p — pi, . . . ,pm and b marks B in A. (1) If A A' ® B{p) then 
A\pi A'\pi and A\p, A'\p, (2<i<m). (2) If A\pi '"'^^'^ Pi 

and A \pi '^^^ Pi (2 < i < m) then there is A' such that Pj = A' \pj (1 < j < rn) 
and A ^ A' ® B{p). 

Suppose Sys is well-typed by Agpc. We construct an ℛ such that (P, S) ∈ ℛ
if and only if 

- Sys P - iiyb){l : Pi I . . . I n : P„), 

- Aspc S* = C ® Pi ® . . . (g) Pfe, 

- for each 1 < i < n, P \- Pi > Ri o ci : Q\, . . . ,Ck '■ Q\ where 

• C\i{h) y R„ 

• Bj \i{cj) >~ Qj for each 1 < j < fc. 
First, we have that (Sys, Agpc) ∈ ℛ. Then, let (P, S) ∈ ℛ and suppose
the above five induction hypotheses. Without loss of generality, we suppose (1) 

Pi ^ Pi and P, ^ P^ or (2) Pi Pi and P, ''^"^ P/ (2 < z < m) 

and 6 marks Pq- 

(1) Suppose 6 e Cj . By Theorem H Q] Q]' and ^ q2'^ Thus, 
by LemmaEl Bj\l{dj) ^ B'j\l{d'j) and Bj\2{d^) ^ B'^l'^ic'j) for some P},c' 

such that P, '-^ P;-, P;ri(5;) ^ Q]' and P;r2(5;.) >- Qf. Also, B,\i{dj) = 
B'j \i{c'j) for each 3 < i < n. Therefore, let S' = C ® B[ ® B2 ■ ■ . ® Bk and 
P' = {vh){l : Pi' I 2 : P^ I 3 : P3 I ... I P„). We have that (P',5') G 7e. (2) 
By Theorem m Pi '''"-Zlili'^''^ and P, P^ (2 < i < m). Thus, by Lemma 

H Cr(a) ''■'u:^''"' ^'^(a) and C\{a) C"r(a) (2 < i < m) for some C",a,a' 

such that 6 e 5 D a', C ^'-zH^^" c', C'\l{a') >- PJ (2 < / < m). Also, C\l{a) = 
C \l{a') for each m+ \ <l <n. Therefore, let S" = C" (g) Pq Pi (8) . • . (8) Pfe and 
P' = {vb){l : Pi \ ...\m: Pl^ \ P,„+i . . . | P„). We have that (P', 5') G 7^. 



Proof of Theorem [7] 

Proof. We prove a more general proposition: if Γ ⊢ P ▷ R ∘ Δ then

- Px« = P, 

- if a[2..„](c) G act(P) and P h at>P, then Pfl = P^-, 

- if a^k]{c) G act(P) and P h at>P, then B\k = P^% 

- if A[i\ =c:Q, then Q = P^- . 

We observe that if the above proposition holds then Theorem [7] immediately
follows. The proof of the proposition is by induction on the derivation of
Γ ⊢ P ▷ R ∘ Δ according to Figure [7]. The basic cases are simple. For the
non-basic cases, we choose to deal with two typical cases.
(1) P = a[2..n](c).P' and Γ ⊢ P ▷ R ∘ Δ
is derived by [T-iNv] Let R = a[2..„](c).P' and A — c : P|'1,Z\'. By induction 
hypotheses, P'^" = P' and, thus, P^"-' = R. Suppose 6[2..„](c') G act(P), P h 
6>P, and c'nch(zi) = 0.lib = a (and thus c' = c, then by induction hypotheses 
and the rule [T-iNv] P'^" = P fl. If 6 ^ a . . ., by induction hypotheses, we 
have the same result. The case of b[i]{c') is similar. Suppose A[i] = c' : Q. 
Then, c' n c = and A'[i + 1] = c : Q. Thus, P^^' = P"^=' and by induction 
hypotheses Q = P^~-' . (2) P = Pi | P2 and P h Pi>Po Z\ is derived by |[T-COM] 
Let P = Pi I P2, Z\ = zii I A2 and P h Pi > P, o A, where i G {1,2}. By 



induction hypotheses and the rule [T-COM] we can obtain the four propositions
above. (N.B. we have supposed P does not contain the hiding operator, so the
rules [T-HID] and [T-VEi] are not applicable



